[Federal Register: September 30, 2005 (Volume 70, Number 189)]
[Rules and Regulations]               
[Page 57449-57452]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr30se05-38]                         

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1, 2, 7, 11, and 39

[FAC 2005-06; FAR Case 2004-018; Item I]
RIN 9000-AK29

 
Federal Acquisition Regulation; Information Technology Security

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Interim rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed on an interim 
rule amending the Federal Acquisition

[[Page 57450]]

Regulation (FAR) to implement the Information Technology (IT) Security 
provisions of the Federal Information Security Management Act of 2002 
(FISMA) (Title III of the E-Government Act of 2002 (E-Gov Act)).

DATES: Effective Date: September 30, 2005.
    Comment Date: Interested parties should submit written comments to 
the FAR Secretariat on or before November 29, 2005 to be considered in 
the formulation of a final rule.

ADDRESSES: Submit comments identified by FAC 2005-06, FAR case 2004-
018, by any of the following methods:
     Federal eRulemaking Portal: http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.regulations.gov. 

Follow the instructions for submitting comments.
     Agency Web Site: http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.acqnet.gov/far/ProposedRules/proposed.htm.
 Click on the FAR case number to submit comments.     E-mail: farcase.2004-018@gsa.gov. Include FAC 2005-06, FAR 
 FAR 
case 2004-018 in the subject line of the message.
     Fax: 202-501-4067.
     Mail: General Services Administration, Regulatory 
Secretariat (VIR), 1800 F Street, NW; Room 4035, ATTN: Laurieann 
Duarte, Washington, DC 20405.
    Instructions: Please submit comments only and cite FAC 2005-06, FAR 
case 2004-018, in all correspondence related to this case. All comments 
received will be posted without change to http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.acqnet.gov/far/ProposedRules/proposed.htm
, including any personal and/or business 

confidential information provided.

FOR FURTHER INFORMATION CONTACT: The FAR Secretariat at (202) 501-4755, 
for information pertaining to status or publication schedules. For 
clarification of content, contact Ms. Cecelia L. Davis, Procurement 
Analyst, at (202) 219-0202. The TTY Federal Relay Number for further 
information is1-800-877-8973. Please cite FAC 2005-06, FAR case 2004-
018.

SUPPLEMENTARY INFORMATION:

A. Background

    American society relies on the Federal Government for essential 
information and services provided through interconnected computer 
systems. Both Government and industry face increasing security threats 
to essential services and must work in close partnership to address 
those risks. Increasingly, contractors are supplying, operating, and 
accessing critical IT systems, performing critical functions throughout 
the life of IT systems. At the same time, it is apparent that 
information technology and the IT marketplace have become truly global. 
The security risks are shared globally as well.
    Unauthorized disclosure, corruption, theft, or denial of IT 
resources have the potential to disrupt agency operations and could 
have financial, legal, human safety, personal privacy, and public 
confidence impacts. The Federal community has not focused on 
unclassified activities with regard to information technology resources 
involved in the acquisition and use of information on behalf of the 
Government. In particular, there is need to focus on the role of 
contractors in security as more and more Federal agencies outsource 
various information technology functions. Until now, regulations have 
generally been silent regarding security requirements for contractors 
who provide goods and services with IT security implications.
    This rule amends FAR parts 1, 2, 7, 11, and 39 to implement the 
information technology security provisions of the Federal Information 
Security Management Act of 2002 (FISMA) (Title III of the E-Government 
Act of 2002 (E-Gov Act)). The rule recognizes security as an important 
part of all phases of the IT acquisition life cycle. The rule focuses 
much needed attention on the importance of system and data security by 
contracting officials and other members of the acquisition team.
    The intent of adding specific guidance in the FAR is to provide 
clear, consistent guidance to acquisition officials and program 
managers; and to encourage and strengthen communication with IT 
security officials, chief information officers, and other affected 
parties.
    The Councils recognize that IT security standards will continue to 
evolve and that agency-specific policy and implementation will evolve 
differently across the spectrum of Federal agencies, depending on their 
missions. Agencies will customize IT security policies and 
implementations to meet mission needs as they adapt to a dynamic IT 
security environment.
    The rule is proposing to amend the FAR by--
     Adding the stipulation that when buying goods and services 
contracting officers shall seek advice from specialists in information 
security;
     Adding a definition for the term ``Information Security'';
     Incorporating security requirements in acquisition 
planning and when describing agency needs;
     Requiring adherence to Federal Information Processing 
Standards; and
     Revising the policy in FAR 39.101 to require including the 
appropriate agency security policy and requirements in information 
technology acquisitions.
    This is not a significant regulatory action and, therefore, was not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The changes may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601 et seq. Although the FAR rule will itself 
have no direct impact on small business concerns, the subsequent 
supplemental policy-making at the agency level may have some impact on 
these entities. Since FISMA requires that agencies establish IT 
security policies that are commensurate with agency risk and potential 
for harm and that meet certain minimum requirements, the real 
implementation of this will occur at the agency level. The impact on 
small entities will, therefore, be variable depending on the agency 
implementation. The bulk of the policy requirements for information 
security are expected to be issued as either changes to agency 
supplements to the FAR or as internal IT policies promulgated by the 
agency Chief Information Officer (CIO), or equivalent, to assure 
compliance with agency security policies. These agency supplements and 
IT policies may affect small business concerns in terms of their 
ability to compete and win Federal IT contracts. The extent of the 
effect and impact on small business concerns is unknown and will vary 
from agency to agency due to the wide variances among agency missions 
and functions.
    An Initial Regulatory Flexibility Analysis (IRFA) has been 
prepared. The analysis is summarized as follows:

Initial Regulatory Flexibility Analysis FAC 2005-06, FAR Case 2004-018, 
Information Technology Security

    This Initial Regulatory Flexibility Analysis has been prepared 
consistent with 5 U.S.C. 603.
    1. Description of the reasons why the action is being taken.
    This interim rule amends the Federal Acquisition Regulation to 
implement the information technology (IT) security provisions of the 
Federal Information Security Management Act of 2002 (FISMA), (Title III 
of the E-Government Act of 2002 (E-Gov Act)). FISMA requires agencies 
to identify and provide information security protections

[[Page 57451]]

commensurate with security risks to Federal information collected or 
maintained for the agency and information systems used or operated on 
behalf of an agency by a contractor.
    2. Succinct statement of the objectives of, and legal basis for, 
the rule.
    The rule implements the IT security provisions of the FISMA. 
Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held 
accountable to the same security standards as Government employees when 
collecting or maintaining information or using or operating information 
systems on behalf of an agency. Security is to be considered during all 
phases of the acquisition life cycle. FISMA requires that agencies 
establish IT security policies that are commensurate with agency risk 
and potential for harm and that meet certain minimum requirements. 
Agencies are further required, through the Chief Information Officer 
(CIO) or equivalent, to assure compliance with agency security 
policies. The law requires that contractors and Federal employees be 
subjected to the same requirements in accessing Federal IT systems and 
data.
    3. Description of and, where feasible, estimate of the number of 
small entities to which the rule will apply.
    The FAR rule will itself have no direct impact on small business 
concerns. As stated in 2 above, FISMA requires that agencies 
establish IT security policies that are commensurate with agency risk 
and potential for harm and that meet certain minimum requirements. The 
real implementation of this will occur at the agency level. The impact 
on small entities will, therefore, be variable depending on the agency 
implementation. The bulk of the policy requirements for information 
security are expected to be issued as either changes to agency 
supplements to the FAR or as internal IT policies promulgated by the 
agency Chief Information Officer (CIO), or equivalent, to assure 
compliance with agency security policies. These agency supplements and 
IT policies may affect small business concerns in terms of their 
ability to compete and win Federal IT contracts. The extent of the 
effect and impact on small business concerns is unknown and will vary 
from agency to agency due to the wide variances among agency missions 
and functions.
    4. Description of projected reporting, recordkeeping, and other 
compliance requirements of the rule, including an estimate of the 
classes of small entities which will be subject to the requirement and 
the type of professional skills necessary for preparation of the report 
or record.
    The rule does not impose any new reporting, recordkeeping, or 
compliance requirements.
    5. Identification, to the extent practicable, of all relevant 
Federal rules which may duplicate, overlap, or conflict with the rule.
    The rule does not duplicate, overlap, or conflict with any other 
Federal rules.
    6. Description of any significant alternatives to the rule which 
accomplish the stated objectives of applicable statutes and which 
minimize any significant economic impact of the rule on small entities.
    There are no practical alternatives that will accomplish the 
objectives of the applicable statutes.
    The FAR Secretariat has submitted a copy of the IRFA to the Chief 
Counsel for Advocacy of the Small Business Administration. Interested 
parties may obtain a copy from the FAR Secretariat. The Councils will 
consider comments from small entities concerning the affected FAR Parts 
1, 2, 7, 11, and 39 in accordance with 5 U.S.C. 610. Interested parties 
must submit such comments separately and should cite 5 U.S.C 601, et 
seq. (FAC 2005-06, FAR case 2004-018), in correspondence.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

D. Determination to Issue an Interim Rule

    A determination has been made under the authority of the Secretary 
of Defense (DoD), the Administrator of General Services (GSA), and the 
Administrator of the National Aeronautics and Space Administration 
(NASA) that urgent and compelling reasons exist to promulgate this 
interim rule without prior opportunity for public comment. This action 
is necessary to implement the requirements of the Federal Information 
Security Management Act (FISMA) of 2002, which went into effect 
December 17, 2002 and associated implementing guidance from the Office 
of Management and Budget (OMB) and National Institute of Standards and 
Technology, particularly FISMA's requirement for agencies to ensure 
contractor compliance with all current IT security laws and policies. 
The FAR does not currently provide adequate security for, or sufficient 
oversight of, the operations of Government contractors (including 
service providers), and this interim rule is necessary to ensure the 
Federal Government is not exposed to inappropriate and unknown risk.
    However, pursuant to Public Law 98-577 and FAR 1.501, the Councils 
will consider public comments received in response to this interim rule 
in the formation of the final rule.

List of Subjects in 48 CFR Parts 1, 2, 7, 11, and 39

    Government procurement.

    Dated: September 22, 2005.
Julia B. Wise,
Director,Contract Policy Division.

0
Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 2, 7, 11, and 39 as 
set forth below:
0
1. The authority citation for 48 CFR parts 1, 2, 7, 11, and 39 
continues to read as follows:

    Authority: : 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and42 
U.S.C. 2473(c).

PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM


1.602-2  [Amended]

0
2. Amend section 1.602-2 by removing from paragraph (c) 
``engineering,'' and adding ``engineering, information security,'' in 
its place.

PART 2--DEFINITIONS OF WORDS AND TERMS

0
3. Amend section 2.101 in paragraph (b) by adding, in alphabetical 
order, the definitions ``Information security'' and ``Sensitive But 
Unclassified (SBU) information'' to read as follows:


2.101  Definitions.

* * * * *
    (b) * * *
    Information security means protecting information and information 
systems from unauthorized access, use, disclosure, disruption, 
modification, or destruction in order to provide--
    (1) Integrity, which means guarding against improper information 
modification or destruction, and includes ensuring information 
nonrepudiation and authenticity;
    (2) Confidentiality, which means preserving authorized restrictions 
on access and disclosure, including means for protecting personal 
privacy and proprietary information; and
    (3) Availability, which means ensuring timely and reliable access 
to, and use of, information.
* * * * *
    Sensitive But Unclassified (SBU) information means unclassified 
information, which, if lost, misused, accessed or modified in an

[[Page 57452]]

unauthorized way, could adversely affect the national interest, the 
conduct of Federal programs, or the privacy of individuals. Examples 
include information which if modified, destroyed or disclosed in an 
unauthorized manner could cause: loss of life; loss of property or 
funds by unlawful means; violation of personal privacy or civil rights; 
gaining of an unfair commercial advantage; loss of advanced technology, 
useful to competitor; or disclosure of proprietary information 
entrusted to the Government.
* * * * *

PART 7--ACQUISITION PLANNING

0
4. Amend section 7.103 by adding paragraph (u) to read as follows:


7.103  Agency-head responsibilities.

* * * * *
    (u) Ensuring that agency planners on information technology 
acquisitions comply with the information technology security 
requirements in the Federal Information Security Management Act (44 
U.S.C. 3544), OMB's implementing policies including Appendix III of OMB 
Circular A-130, and guidance and standards from the Department of 
Commerce's National Institute of Standards and Technology.
0
5. Amend section 7.105 by adding a sentence to the end of paragraph 
(b)(17) to read as follows:


7.105  Contents of written acquisition plans.

* * * * *
    (b) * * *
    (17) * * * For Information Technology acquisitions, discuss how 
agency information security requirements will be met.
* * * * *

PART 11--DESCRIBING AGENCY NEEDS

0
6. Revise section 11.102 to read as follows:


11.102  Standardization program.

    Agencies shall select existing requirements documents or develop 
new requirements documents that meet the needs of the agency in 
accordance with the guidance contained in the Federal Standardization 
Manual, FSPM-0001; for DoD components, DoD 4120.24-M, Defense 
Standardization Program Policies and Procedures; and for IT standards 
and guidance, the Federal Information Processing Standards Publications 
(FIPS PUBS). The Federal Standardization Manual may be obtained from 
the General Services Administration (see address in 11.201(d)(1)). DoD 
4120.24-M may be obtained from DoD (see address in 11.201(d)(2)). FIPS 
PUBS may be obtained from the Government Printing Office (GPO), or the 
Department of Commerce's National Technical Information Service (NTIS) 
(see address in 11.201(d)(3)).
0
7. Amend section 11.201 by adding paragraph (d)(3) to read as follows:


11.201  Identification and availability of specifications.

* * * * *
    (d) * * *
    (3) The FIPS PUBS may be obtained from http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.itl.nist.gov/fipspubs/
, or purchased from the Superintendent of Documents, U.S. 

Government Printing Office, Washington, DC 20402, Telephone (202) 512-
1800, Facsimile (202) 512-2250; or National Technical Information 
Service (NTIS), 5285 Port Royal Road, Springfield, VA 22161, Telephone 
(703) 605-6000, Facsimile (703) 605-6900, Email: orders@ntis.gov.
* * * * *

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

0
8. Amend section 39.101 by adding paragraph (d) to read as follows:


39.101  Policy.

* * * * *
    (d) In acquiring information technology, agencies shall include the 
appropriate information technology security policies and requirements.
[FR Doc. 05-19468 Filed 9-29-05; 8:45 am]

BILLING CODE 6820-EP-S